Dear hacker: Please help us eavesdrop on our customers

Mobily, a Saudi Arabian telecommunications company with 4.8 million subscribers, is working on a way to intercept encrypted data sent over the Internet by Twitter, Viber, and other mobile apps, a security researcher said Monday.

Moxie Marlinspike, the pseudonymous cryptographer who has identified several security bugs in the secure sockets layer protocol used to protect website transactions, said he learned of the project after receiving an e-mail from company officials. Carrying the subject line "Solution for monitoring encrypted data on telecom," it said the project was required by "the regulator." Marlinspike believed this meant the government of Saudi Arabia. In follow-up e-mails, the Mobily officials said they were looking for ways to bypass the protections built into the SSL and Transport Layer Security protocols so telecom workers could monitor messages spreading terrorism.

"One of the design documents that they volunteered specifically called out compelling a [certificate authority] in the jurisdiction of the UAE or Saudi Arabia to produce SSL certificates that they could use for interception," Marlinspike wrote in a blog post. "A considerable portion of the document was also dedicated to a discussion of purchasing SSL vulnerabilities or other exploits as possibilities."

Mobily representatives didn't respond to an e-mail seeking comment for this article.

Marlinspike, who recently left Twitter after working in the company's security department, continued:

"Their level of sophistication didn’t strike me as particularly impressive, and their existing design document was pretty confused in a number of places, but Mobily is a company with over five billion in revenue, so I’m sure that they’ll eventually figure something out. What’s depressing is that I could have easily helped them intercept basically all of the traffic they were interested in (except for Twitter—I helped write that TLS code, and I think we did it well). They later told me they’d already gotten a WhatsApp interception prototype working and were surprised by how easy it was. The bar for most of these apps is pretty low."

Marlinspike said it was "rude" of him to publish the details of a private correspondence but that it was "substantially more rude of them to be engaged in massive-scale eavesdropping of private communication." He warned readers about the influence wealthy governments are having on hackers and security researchers. That is primarily driven by the large-scale purchase of security exploits used to compromise computers and eavesdrop on citizens. For a good understanding of how it all works, see this article published Friday by Reuters reporter Joseph Menn.

"Really, it’s no shock that Saudi Arabia is working on this, but it is interesting to get fairly direct evidence that it’s happening," Marlinspike wrote. "More to the point, if you’re in Saudi Arabia (or really anywhere), it might be prudent to think about avoiding insecure communication tools like WhatsApp and Viber (TextSecure and RedPhone could serve as appropriate secure replacements), because now we know for sure that they’re watching. For the rest of us, I hope we can talk about what we can do to stop those who are determined to make this a reality, as well as the ways that we’re already inadvertently a part of that reality’s making."

29 Reader Comments

Except for vulnerabilities in the SSL/TLS libraries, an app can be more secure than a web page. A browser checks only that the certificate is valid but an app could even check if exactly a specific certificate is used. So at least I expect WhatsApp & co to do at least that to counter certificate based attacks. They could even force TLS 1.2 or even a stronger encryption...

Eh I'm torn...It is us they are looking to blow up. I'd feel better knowing somebody was watching them. Course then again who believes the Saudi government is looking out for us? Then again should everybody get monitored because of the bad actors? Was going to say a few but I think we all know there are a lot of them funding and supporting these terrorist morons.

Except for vulnerabilities in the SSL/TLS libraries, an app can be more secure than a web page. A browser checks only that the certificate is valid but an app could even check if exactly a specific certificate is used. So at least I expect WhatsApp & co to do at least that to counter certificate based attacks. They could even force TLS 1.2 or even a stronger encryption...

Twitter does this (and I have verified), but the vast majority of apps do not - and actually go one worse.

It is extraordinarily common for apps to deliberately disable validation and accept any cert, literally any cert the library can parse. I've found this in very popular apps run by legitimate businesses. Sometimes it gets fixed but sometimes it's "not a bug."

Chrome is basically in the best situation right now, as it contains pinnings for Google and such.

Opera supports TLS 1.2 and strict certificate verification. It has to be turned on manually because many sites break with TLS 1.1 and 1.2.

I'm betting that they'll catch minor criminals in this venture, but not too many of the serious threats. Organized terrorist groups know that they're being watched, and as such, they probably already use more secure communication tools.

But then again... even otherwise intelligent people often do stupid things, so you can never be sure what the results will be until you've tried.

Except for vulnerabilities in the SSL/TLS libraries, an app can be more secure than a web page. A browser checks only that the certificate is valid but an app could even check if exactly a specific certificate is used. So at least I expect WhatsApp & co to do at least that to counter certificate based attacks. They could even force TLS 1.2 or even a stronger encryption...

Twitter does this (and I have verified), but the vast majority of apps do not - and actually go one worse.

It is extraordinarily common for apps to deliberately disable validation and accept any cert, literally any cert the library can parse. I've found this in very popular apps run by legitimate businesses. Sometimes it gets fixed but sometimes it's "not a bug."

Chrome is basically in the best situation right now, as it contains pinnings for Google and such.

I have seen this too. They accept any cert. Or they throw a dialog once and ask the user if they want to accept an invalid cert. Once. User will naturally click OK or Yes and will never see that dialog again.... until MIM offers a different cert and they again click Yes.

Terrible. Invalid certs need to be rejected. Period. The connection needs to be dropped with no way for end user to get around it. The only way to get invalid certs to work should be at the command line importing them by hand into the cert store for testing purposes.

Chrome is basically in the best situation right now, as it contains pinnings for Google and such.

Trusting Google and its products with security is like trusting your 401K to a broker. It's only good as long as everything is merry. When it hits the fan, you know they will open things up even before they are asked to. The worst part is they won't even tell you that they just let some do-hickey monitor your account.

Opera supports TLS 1.2 and strict certificate verification. It has to be turned on manually because many sites break with TLS 1.1 and 1.2.

It's not the only one to support TLS 1.2, but what's strict certificate verification?

Except for vulnerabilities in the SSL/TLS libraries, an app can be more secure than a web page. A browser checks only that the certificate is valid but an app could even check if exactly a specific certificate is used. So at least I expect WhatsApp & co to do at least that to counter certificate based attacks. They could even force TLS 1.2 or even a stronger encryption...

Twitter does this (and I have verified), but the vast majority of apps do not - and actually go one worse.

It is extraordinarily common for apps to deliberately disable validation and accept any cert, literally any cert the library can parse. I've found this in very popular apps run by legitimate businesses. Sometimes it gets fixed but sometimes it's "not a bug."

Chrome is basically in the best situation right now, as it contains pinnings for Google and such.

But of course.

You disable validation during development, because during development you just use self-signed certs and whatnot.

And then that's how you ship the thing.

Though for application endpoints, I wonder if it wouldn't be better for applications to use privately-issued certificates, and store a private root certificate within the app. That would tend to protect against CA compromise.

It sounds like one of the tactics this Saudi telecom would like to use is to strong-arm a trusted CA into issuing certificates that match the common names of the real certificates being presented by sites like Twitter.

If they succeed with something like this, the certificate is technically valid and trusted because it is coming from a trusted certificate authority. No errors would be thrown.

It would be up to the end user to carefully look at certificates being presented for 100% correct information.

If any CA did this, I would hope their CA cert chain would instantly be revoked but that would mean that any user of IE, Chrome, Firefox would have to get an update to their list of trusted authorities.

There was a day when being a CA meant something -- hopefully that doesn't change.
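As an added illustration (not part of the article or of any commenter's post), the Python sketch below puts the "accept any cert" shortcut the thread complains about beside a validating client that also pins one exact certificate, which is the check that still fails when a trusted CA issues a valid certificate for the same name. The function names and the two sample byte strings are assumptions made up for this example; the byte strings are constructed placeholders standing in for DER-encoded certificates, not real ones.

```python
import hashlib
import socket
import ssl


class PinMismatch(Exception):
    """The chain validated, but the leaf is not a certificate the app pins."""


def dev_shortcut_context():
    # The anti-pattern from the thread: validation switched off and shipped.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # has to be cleared before CERT_NONE is accepted
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def strict_context():
    # Library defaults: chain must verify and the hostname must match.
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx):
    """Return the weaknesses of a client context; an empty list means none found."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("chain-not-verified")
    if not ctx.check_hostname:
        findings.append("hostname-not-checked")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("tls-below-1.2-allowed")
    return findings


def fingerprint(der_cert):
    return hashlib.sha256(der_cert).hexdigest()


def pin_matches(der_cert, pinned):
    """True only if this exact certificate is one the app was built to expect."""
    return fingerprint(der_cert) in pinned


def connect_pinned(host, port, pinned, timeout=10.0):
    # Normal validation first, then the pin on top of it. The pin is an extra
    # check, never a replacement for chain and hostname verification.
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with strict_context().wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            if not pin_matches(der, pinned):
                raise PinMismatch("unexpected certificate for " + host)
            return tls.version()


# Constructed placeholder bytes (not real certificates) for an offline check.
EXPECTED_LEAF = b"constructed: the certificate the app's own server presents"
SUBSTITUTE_LEAF = b"constructed: same hostname, issued by a different trusted CA"
PINS = {fingerprint(EXPECTED_LEAF)}
```

Pinning a whole certificate means the pin set has to be updated when the server certificate is rotated, so shipping a second pin for the next certificate avoids locking clients out.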

Back to the future. I'm reminded of a story from the late 80s and early 90s when businesses used faxes for important communications prior to the widespread use of email. Faxes sent to foreign countries routinely were copied and sent off to the ministry/department of industrial/technological/economic/etc development, which in turn shared it with their nationalized or private domestic companies to help them compete. It's supposedly one of the drivers behind the use of encrypted faxing, which itself started to die off as email and encrypted email came into play.

The only crypto keys one can really-really-really trust are those one has generated oneself. How much one can trust a digital certificate signed by a CA depends upon what one is doing. I'm pretty happy trusting a digital certificate when sending my credit card number to Amazon. If I were (condition contrary to fact) conspiring to blow something up, you can bet your last nickel I'd be using public key crypto and I'd have found a way to verify my co-conspirators' key fingerprints personally.

So how does one go about stripping out unnecessary CAs from a browser or OS? Is there any list of major CAs you're likely to run into in a given geographic area or something, so you can trim out any extras? Or a Ghostery for CAs or the like? I see no reason to accept a cert for my-bank.com from Outer-Lower Uzbekistan or whatever.

You can see, and in some cases, work with, from the advanced options of your browser. In Firefox, for instance: Tools > Advanced > Encryption > View Certificates

From there you have Authorities and various other lesser options, and you can import/export Certs at your will, or delete/distrust them.

So theoretically if you wanted to set up your own CA chain, and only use things signed by said chain on an internal network (or on a darknet perhaps?) you could manually make the changes there.

Elsewise I would suggest grabbing an open-source browser and modifying it in code, package an installer, and distribute your custom browser to your network of cohorts who have chosen to trust your CA over StartSSL, Verisign and the other big players who granted, many of which have not done anything special in recent years to earn our trust.

It only drives the criminals to find newer and more clever ways not to get caught.

How is it proven not to work? I am vehemently against this measure, and similar policies across the world, but you'll do well to note that some of the most crime-free places on earth are Japan (very authoritarian society, with powerful and unsupervised police, and little respect for liberty) and Singapore (downright totalitarian society).

Again, I am against these policies. I just believe it's important to acknowledge the tradeoffs that we make in our personal and societal belief systems.

We're getting a little off topic (I'm doing a lot of CA/SSL/TLS work currently which is my primary interest in this article) however:

The fact that the police in these countries (and a few others) are almost above the law is a deterrent in itself. However this does tend to cause a gulf between petty crimes and large, organised crime. Petty criminals will often be treated with swift and barbaric justice (sometimes in public, as I've witnessed in Singapore to a purse snatcher left beaten and broken by two men claiming to be police) and members of organised crime are, generally, 1: harder to catch (either through their own intelligence or bribery), 2: able to protect themselves in numbers or violently (or both).

//edit: typing like a demented monkey this morning, more coffee needed.

I have seen this too. They accept any cert. Or they throw a dialog once and ask the user if they want to accept an invalid cert. Once. User will naturally click OK or Yes and will never see that dialog again.... until MIM offers a different cert and they again click Yes.

Terrible. Invalid certs need to be rejected. Period. The connection needs to be dropped with no way for end user to get around it. The only way to get invalid certs to work should be at the command line importing them by hand into the cert store for testing purposes.

While I agree in theory, pretty much every system I've turned on 'out of the box' that uses certificates almost always throws up the 'confirm security exception' box when I try to access them. From OSX Server's wiki to Synology's NAS webapp, these services (imo) are meant to be a few quick clicks to set up.

There are still people who will realize that combining other encryption algorithms over ssl would secure their communications yet again, it is almost impossible to decrypt truly secret messages (terrorist messages?).

Eh I'm torn...It is us they are looking to blow up. I'd feel better knowing somebody was watching them. Course then again who believes the Saudi government is looking out for us? Then again should everybody get monitored because of the bad actors? Was going to say a few but I think we all know there are a lot of them funding and supporting these terrorist morons.

We (the US) have proactively been monitored in some fashion by its Government long before all of this came to light. Make the assumption that any external communication you have using most any modern technology is being monitored.

So since I use these apps I was a bit concerned and wrote to WhatsApp, referring them to the article and hoping they might investigate or at least defend the integrity of their product. Here's their response:

Quote:

The information in the blog post is unverified and unconfirmed. Until we are presented with evidence and data, we will treat the information as false

So since I use these apps I was a bit concerned and wrote to WhatsApp, referring them to the article and hoping they might investigate or at least defend the integrity of their product. ...

Interesting follow-on blog post, xlynx. It seems obvious to me that, if the telco has indeed simulated a certificate, (as they appear to claim) then they would be able to pass intercepted traffic along to WhatsApp with no changes at all (not even to the originating IP address) since they control one point within the data transit path... so if it was done right, then there would be no evidence to find, without following the steps you suggested, and verifying the authenticity of the server cert from within the app. (You'd think this step would be standard procedure these days, anyway.... but maybe not.)

In any event, WhatsApp's response that they are unwilling to even investigate until they have "evidence" is either foolhardy or intentionally off-putting. If I were at all cynical, I'd have to assume from that response (and lack of follow-up responses) that they are already in collusion with the governmental/telco entities in question -- and likely, other gov/telco entities as well -- and have no real interest in "fixing" the issue.
